User Authorization
RIG supports the JSON Web Tokens (JWT) standard for authorizing users when forwarding HTTP requests, or when handling event subscription or submission requests.
Note that RIG does not do authentication: you will need to provide a service for that yourself. This means that RIG does not create any tokens on its own. Given a JWT, RIG only checks its validity, using a shared secret key (for HMAC algorithms such as HS256) or a public key (for signature algorithms such as RS256), depending on the algorithm named in the token's header. Please refer to the Operator's Guide for the corresponding configuration options.
Also note the following:
- For incoming HTTP requests, JWT validation can be enabled on a per-endpoint basis using the `secured` option.
- Event subscriptions can be secured using JWT validation by setting `SUBSCRIPTION_CHECK` to `jwt_validation`.
- Likewise, event submissions can be secured using JWT validation by setting `SUBMISSION_CHECK` to `jwt_validation`.
Again, refer to the Operator's Guide for details on those environment variables.
Key Length
Make sure the keys you configure meet the minimum lengths required by the JWA spec (RFC 7518). For the HMAC-based algorithm HS256, the shared secret must be at least 256 bits, i.e. 32 bytes (32 ASCII characters); a shorter secret can be brute-forced offline by anyone holding a single valid token, after which they can mint tokens of their own. RS256 is not symmetric: it is an RSA signature, for which the spec requires a key of at least 2048 bits. With RS256 the private key stays with your authentication service and only the public key is given to RIG.
Example
Example of a minimal JWT, showing the header and payload before base64url encoding and signing. `exp` is a NumericDate (seconds since the Unix epoch); the value used here lies in the past (March 1973), so a token you actually issue needs a future timestamp:

```
// Header:
{
  "alg": "HS256",
  "typ": "JWT"
}
// Payload:
{
  "exp": 99999999
}
```
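As an added example (not RIG's own code and not part of the original page), the following Python script issues a token of exactly the shape shown above with HS256 and then validates it the way a gateway has to: it pins the algorithm, compares the MAC in constant time and checks `exp`. It also enforces the 32-byte minimum secret from the Key Length section and shows why a validator must not let the token's header pick the algorithm. It uses only the standard library; the function names (`sign_hs256`, `validate_hs256`, `is_valid`, `forge_alg_none`) and the decision to treat a missing `exp` as invalid are choices of this example, not RIG behaviour.

```python
import base64
import hashlib
import hmac
import json
import time

# RFC 7518 requires HS256 keys of at least 256 bits; enforced below.
MIN_HS256_KEY_BYTES = 32


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    """JSON-serialise a header or payload compactly and base64url it."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def secret_is_strong(secret: bytes) -> bool:
    """True if the secret meets the 256-bit minimum for HS256."""
    return len(secret) >= MIN_HS256_KEY_BYTES


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact JWS 'header.payload.signature' using HS256.

    Refuses short secrets: a weak HMAC key can be recovered offline
    from a single captured token, after which anyone can mint tokens.
    """
    if not secret_is_strong(secret):
        raise ValueError("HS256 secret must be at least 32 bytes (256 bit)")
    header = {"alg": "HS256", "typ": "JWT"}  # same header as the page's example
    signing_input = f"{_encode_part(header)}.{_encode_part(payload)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_hs256(token: str, secret: bytes, now=None) -> dict:
    """Verify an HS256 token and return its payload, or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier, not the token, decides the algorithm. Trusting the header
    # would let "alg": "none" (no signature at all) or an RS256 header verified
    # against the HMAC secret slip through.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    exp = payload.get("exp")  # NumericDate: seconds since the Unix epoch
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("exp missing or in the past")
    return payload


def is_valid(token: str, secret: bytes, now=None) -> bool:
    """Boolean wrapper around validate_hs256 (decode errors are ValueErrors too)."""
    try:
        validate_hs256(token, secret, now)
        return True
    except ValueError:
        return False


def forge_alg_none(token: str) -> str:
    """Rewrite the header to "alg": "none" and drop the signature: the classic
    attack against a validator that trusts the header. Must be rejected."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    header["alg"] = "none"
    return f"{_encode_part(header)}.{payload_b64}."


if __name__ == "__main__":
    # Constructed demo secret (exactly 32 bytes); generate 32 random bytes in practice.
    secret = b"0123456789abcdef0123456789abcdef"
    token = sign_hs256({"exp": int(time.time()) + 300}, secret)
    print(token)
    print("valid:", is_valid(token, secret))
    print("forged alg=none accepted:", is_valid(forge_alg_none(token), secret))
```

The `exp` value from the page's example is accepted by `validate_hs256` only if the caller passes a `now` earlier than 1973, which is the practical way to see why the example's timestamp cannot be used as-is.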